By installing the free app, the user actually downloads a hidden program
connecting their handset to a command and control server in Hong Kong,
says Cloudmark researcher Andrew Conway. The Hong Kong server next sends
the handset a list of 50 phone numbers, copies of viral messages and
instructions to begin sending the messages to each of the numbers.

Previously, Android spammers had to assemble and activate dozens of
SIM cards - the chip at the heart of cellphones - and each card acted as
an individual spam-blasting phone. But that can get expensive, and
carriers have gotten better at detecting and blocking such campaigns.

Using infected Android handsets, instead, is akin to how spammers use infected PCs to spread spam.

"If they can get their malware on a bunch of different handsets, and,
indeed, have enough handsets so it's difficult for them all to get
detected and shut down, that vastly improves the economics for
spammers," Conway says.

The victim can lose in two ways. If they
don't have an unlimited texting plan, the next phone bill could be a
whopper. It takes about 65 seconds to automatically text 50 phone
numbers, after which the Hong Kong server sends a fresh batch of
numbers. So each infected phone can blast thousands of viral text
messages a day.

What's more, the malicious program also blocks
incoming messages from anyone not on the user's contact list. "So the
phone company or a friend can't text you back and say, 'Stop sending me
spam,'" Conway says.

In such cases, the carrier could decide to unilaterally shut down the user's text-messaging capabilities, he says.

Cloudmark estimates that only a few thousand Android smartphones have been
infected, though tainted text messages continue to circulate. More
worrisome is the notion that this attack could be a precursor of what's
to come in 2013, especially for Android users.

Apple, Microsoft
and Research In Motion smartphones are much less targeted. That's
because Google designed Android as an open system, making it easy for
handset makers and Web-application developers to jump on board. Android
has become the world's most popular smartphone platform. But it has
also become the biggest hacker target.

Juniper Networks has
tracked a 350% increase in malicious and invasive apps targeting mostly
Android users in 12 months through the end of October. "Attacks are
becoming more malicious and clandestine," says Juniper's Hoffman.

Conway advises Android users to stick strictly to Google's official
application store, Google Play, and ignore unsolicited offers that
arrive by text message. If you see a suspicious text message offer,
forward it in a text message to 7726, a free service set up by the
carriers to eliminate spam.

Google Play is "99.99% trustworthy" because the search giant is on high alert for hackers and fixes any breaches quickly.

"You're much safer going to Google Play than from any other source, especially
ones from Asia," Conway says. "If an offer is too good to be true, it's
a fake."